Merge branch 'release/0.16.2'

.babelrc

@@ -1,9 +0,0 @@
-{
-  "presets": [
-    ["env", {
-      "targets": {
-        "browsers": ["last 2 versions", "safari >= 7"]
-      }
-    }]
-  ]
-}

app/Http/Controllers/MicropubController.php

@@ -211,6 +211,16 @@ class MicropubController extends Controller
         ], 201)->header('Location', $media->url);
     }
 
+    /**
+     * Return the relavent CORS headers to a pre-flight OPTIONS request.
+     *
+     * @return \Illuminate\Http\Response
+     */
+    public function mediaOptionsResponse(): Response
+    {
+        return response('OK', 200);
+    }
+
     /**
      * Get the file type from the mimetype of the uploaded file.
      *

app/Http/Kernel.php

@@ -38,6 +38,7 @@ class Kernel extends HttpKernel
             \App\Http\Middleware\LinkHeadersMiddleware::class,
             \App\Http\Middleware\LocalhostSessionMiddleware::class,
             \App\Http\Middleware\ActivityStreamLinks::class,
+            \App\Http\Middleware\CSPHeader::class,
         ],
 
         'api' => [
@@ -62,5 +63,6 @@ class Kernel extends HttpKernel
         'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'micropub.token' => \App\Http\Middleware\VerifyMicropubToken::class,
         'myauth' => \App\Http\Middleware\MyAuthMiddleware::class,
+        'cors' => \App\Http\Middleware\CorsHeaders::class,
     ];
 }

app/Http/Middleware/CSPHeader.php

@@ -0,0 +1,72 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class CSPHeader
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        // headers have to be single-line strings,
+        // so we concat multiple lines
+        //return $next($request);
+        return $next($request)
+            ->header(
+                'Content-Security-Policy',
+                str_replace("\\\n", '', "default-src 'self'; \
+script-src 'self' 'unsafe-inline' 'unsafe-eval' \
+https://api.mapbox.com \
+https://analytics.jmb.lv \
+blob:; \
+style-src 'self' 'unsafe-inline' \
+https://api.mapbox.com \
+https://fonts.googleapis.com \
+use.typekit.net \
+p.typekit.net; \
+img-src 'self' data: blob: \
+https://pbs.twimg.com \
+https://api.mapbox.com \
+https://*.tiles.mapbox.com \
+https://jbuk-media.s3-eu-west-1.amazonaws.com \
+https://jbuk-media-dev.s3-eu-west-1.amazonaws.com \
+https://secure.gravatar.com \
+https://graph.facebook.com *.fbcdn.net \
+https://*.cdninstagram.com \
+analytics.jmb.lv \
+https://*.4sqi.net \
+https://upload.wikimedia.org \
+p.typekit.net; \
+font-src 'self' \
+https://fonts.gstatic.com \
+use.typekit.net \
+fonts.typekit.net; \
+connect-src 'self' \
+https://api.mapbox.com \
+https://*.tiles.mapbox.com \
+performance.typekit.net \
+data: blob:; \
+worker-src 'self' blob:; \
+frame-src 'self' https://www.youtube.com blob:; \
+child-src 'self' blob:; \
+upgrade-insecure-requests; \
+block-all-mixed-content; \
+report-to csp-endpoint; \
+report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;")
+            )->header(
+                'Report-To',
+                '{' .
+                    "'url': 'https://jonnybarnes.report-uri.io/r/default/csp/enforce', " .
+                    "'group': 'csp-endpoint'," .
+                    "'max-age': 10886400" .
+                '}'
+            );
+    }
+}

app/Http/Middleware/CorsHeaders.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class CorsHeaders
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        $response = $next($request);
+        if ($request->path() === 'api/media') {
+            $response->header('Access-Control-Allow-Origin', '*');
+            $response->header('Access-Control-Allow-Methods', 'OPTIONS, POST');
+            $response->header(
+                'Access-Control-Allow-Headers',
+                'Authorization, Content-Type, DNT, X-CSRF-TOKEN, X-REQUESTED-WITH'
+            );
+            $response->header('Access-Control-Allow-Credentials', 'true');
+        }
+
+        return $response;
+    }
+}

changelog.md

@@ -1,7 +1,11 @@
 # Changelog
 
+## Version 0.16.2 (2018-04-07)
+  - Add CORS headers as necessary in the Laravel app (as oppose to using nginx)
+  - Add CSP headers
+
 ## Version 0.16.1 (2018-02-17)
-  - Fix issue where OwnYourSwarm requests inlude h-adr block for location
+  - Fix issue where OwnYourSwarm requests include h-adr block for location
 
 ## Version 0.16 (2018-02-16)
   - Update Laravel to 5.6

composer.json

@@ -34,13 +34,13 @@
     },
     "require-dev": {
         "barryvdh/laravel-debugbar": "~3.0",
-        "codedungeon/phpunit-result-printer": "^0.6.0",
+        "codedungeon/phpunit-result-printer": "^0.12.0",
         "filp/whoops": "~2.0",
         "fzaninotto/faker": "~1.4",
-        "jakub-onderka/php-parallel-lint": "^0.9.2",
+        "jakub-onderka/php-parallel-lint": "^1.0.0",
         "laravel/dusk": "^3.0",
         "mockery/mockery": "~1.0",
-        "nunomaduro/collision": "^1.1",
+        "nunomaduro/collision": "^2.0",
         "phpunit/phpunit": "~7.0",
         "symfony/thanks": "~1.0"
     },

dependencyci.yml

@@ -1,5 +0,0 @@
-# don't run unlicensed test on any development dependencies
-type:
-  development:
-    tests:
-      unlicensed: skip

package.json

@@ -5,40 +5,40 @@
     "repository": "https://github.com/jonnybarnes/jonnybarnes.uk",
     "license": "CC0-1.0",
     "dependencies": {
-        "a11y.css": "^4.4.0",
+        "a11y.css": "^4.5.0",
         "alertify.js": "^1.0.12",
         "mapbox-gl": "^0.44.1",
-        "marked": "^0.3.12",
+        "marked": "^0.3.17",
         "normalize.css": "^8.0.0"
     },
     "devDependencies": {
-        "ajv": "^6.1.1",
+        "@babel/core": "^7.0.0-beta.40",
+        "@babel/preset-env": "^7.0.0-beta.40",
+        "ajv": "^6.2.0",
         "ajv-keywords": "^3.1.0",
         "autoprefixer": "^8.0.0",
         "babel-cli": "^6.26.0",
-        "babel-core": "^6.26.0",
-        "babel-loader": "^7.1.2",
+        "babel-loader": "^8.0.0-beta.2",
         "babel-preset-env": "^1.6.1",
-        "babel-preset-es2015": "^6.18.0",
-        "babel-preset-latest": "^6.16.0",
         "babel-runtime": "^6.26.0",
-        "dotenv-webpack": "^1.5.4",
-        "eslint": "^4.17.0",
-        "eslint-config-standard": "^10.2.1",
-        "eslint-plugin-import": "^2.8.0",
-        "eslint-plugin-node": "^6.0.0",
+        "dotenv-webpack": "^1.5.5",
+        "eslint": "^4.18.1",
+        "eslint-config-standard": "^11.0.0",
+        "eslint-plugin-import": "^2.9.0",
+        "eslint-plugin-node": "^6.0.1",
         "eslint-plugin-promise": "^3.6.0",
         "eslint-plugin-standard": "^3.0.1",
         "husky": "^0.15.0-rc.8",
-        "lint-staged": "^6.1.0",
+        "lint-staged": "^7.0.0",
         "postcss-cli": "^5.0.0",
         "postcss-sass": "^0.3.0",
         "pre-commit": "^1.1.3",
         "source-list-map": "^2.0.0",
-        "stylelint": "^8.4.0",
-        "stylelint-config-standard": "^18.0.0",
-        "uglify-js": "^3.3.10",
-        "webpack": "^3.11.0",
+        "stylelint": "^9.1.1",
+        "stylelint-config-standard": "^18.2.0",
+        "uglify-js": "^3.3.12",
+        "webpack": "^4.0.1",
+        "webpack-cli": "^2.0.9",
         "webpack-sources": "^1.1.0"
     },
     "scripts": {

phpunit.xml

@@ -22,6 +22,9 @@
             <directory suffix=".php">./app</directory>
         </whitelist>
     </filter>
+    <listeners>
+        <listener class="NunoMaduro\Collision\Adapters\Phpunit\Listener" />
+    </listeners>
     <php>
         <env name="APP_ENV" value="testing"/>
         <env name="CACHE_DRIVER" value="array"/>

public/assets/js/a11y.js

@@ -1,2 +1,2 @@
-!function(modules){var installedModules={};function __webpack_require__(moduleId){if(installedModules[moduleId])return installedModules[moduleId].exports;var module=installedModules[moduleId]={i:moduleId,l:!1,exports:{}};return modules[moduleId].call(module.exports,module,module.exports,__webpack_require__),module.l=!0,module.exports}__webpack_require__.m=modules,__webpack_require__.c=installedModules,__webpack_require__.d=function(exports,name,getter){__webpack_require__.o(exports,name)||Object.defineProperty(exports,name,{configurable:!1,enumerable:!0,get:getter})},__webpack_require__.n=function(module){var getter=module&&module.__esModule?function(){return module.default}:function(){return module};return __webpack_require__.d(getter,"a",getter),getter},__webpack_require__.o=function(object,property){return Object.prototype.hasOwnProperty.call(object,property)},__webpack_require__.p="",__webpack_require__(__webpack_require__.s=4)}({4:function(module,exports,__webpack_require__){"use strict";function a11yCssExists(){var css=document.querySelectorAll("link[rel=stylesheet]"),exists=!1,_iteratorNormalCompletion=!0,_didIteratorError=!1,_iteratorError=void 0;try{for(var _step,_iterator=css[Symbol.iterator]();!(_iteratorNormalCompletion=(_step=_iterator.next()).done);_iteratorNormalCompletion=!0){"/assets/frontend/a11y.css/a11y-en.css"==_step.value.attributes.href.nodeValue&&(exists=!0)}}catch(err){_didIteratorError=!0,_iteratorError=err}finally{try{!_iteratorNormalCompletion&&_iterator.return&&_iterator.return()}finally{if(_didIteratorError)throw _iteratorError}}return exists}document.querySelector('input[name="a11y.css"]').addEventListener("change",function(){this.checked?function(){if(0==a11yCssExists()){var link=document.createElement("link");link.setAttribute("rel","stylesheet"),link.setAttribute("href","/assets/frontend/a11y.css/a11y-en.css");var head=document.querySelector("head");head.appendChild(link)}}():function(){if(1==a11yCssExists()){var link=document.querySelector('link[href="/assets/frontend/a11y.css/a11y-en.css"]'),head=document.querySelector("head");head.removeChild(link)}}()})}});
+!function(e){var t={};function n(r){if(t[r])return t[r].exports;var o=t[r]={i:r,l:!1,exports:{}};return e[r].call(o.exports,o,o.exports,n),o.l=!0,o.exports}n.m=e,n.c=t,n.d=function(e,t,r){n.o(e,t)||Object.defineProperty(e,t,{configurable:!1,enumerable:!0,get:r})},n.r=function(e){Object.defineProperty(e,"__esModule",{value:!0})},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=10)}({10:function(e,t){function n(){var e=document.querySelectorAll("link[rel=stylesheet]"),t=!1,n=!0,r=!1,o=void 0;try{for(var u,c=e[Symbol.iterator]();!(n=(u=c.next()).done);n=!0){"/assets/frontend/a11y.css/a11y-en.css"==u.value.attributes.href.nodeValue&&(t=!0)}}catch(e){r=!0,o=e}finally{try{n||null==c.return||c.return()}finally{if(r)throw o}}return t}document.querySelector('input[name="a11y.css"]').addEventListener("change",function(){this.checked?function(){if(0==n()){var e=document.createElement("link");e.setAttribute("rel","stylesheet"),e.setAttribute("href","/assets/frontend/a11y.css/a11y-en.css");var t=document.querySelector("head");t.appendChild(e)}}():function(){if(1==n()){var e=document.querySelector('link[href="/assets/frontend/a11y.css/a11y-en.css"]'),t=document.querySelector("head");t.removeChild(e)}}()})}});
 //# sourceMappingURL=a11y.js.map